01267: Site.PageActions login/logout problem

Summary: Site.PageActions login/logout problem
Created: 2011-10-05 18:30
Status: Open
Category: Bug
From: tguthrie
Priority: 3
Version: 2.2.33
OS: n/a (reproduced on pmwiki.org)

Description: Reproducing the symptom:

  1. While logged out, browse http://www.pmwiki.org/wiki/Site/Site?action=edit
    The "Password required" page appears.
  2. Type in a nonsense password string.
  3. "Password required" page re-appears but now the "logout" menu option appears in the PageActions set, even though the login was unsuccessful.

It seems to me that the PageActions logout menu item is present whenever the "user-entered passwords" array has received an attempt (i.e. any time the array is not empty), rather than testing whether any password in the array provides access to the requested page.

This behavior confuses administrators trying to debug password protected wikis and/or editing GroupAttributes pages (e.g. me :-) because it's impossible to tell whether the site's configuration is incorrect vs. just a mistyped password. That is why I rated it as medium priority.

It is not a bug, it is designed this way. Any group or page can have individual read, edit, upload or attr passwords, all pages and actions are not checked when you try to access a single page/action, that's why PmWiki will remember that you know the password you entered. So if subsequently you try to access a page which requires that same password, you will not need to enter it again. The "Logout" item is wrapped in a conditional (:if enabled AuthPw:) which is true when a visitor has entered some passwords. --Petko October 06, 2011, at 04:13 AM

Thanks for describing the conditional around the Logout. It lead me to several areas of the documentation and I am now better able to describe the issue. I'm sorry I chose the "bug" option; that's what it seemed like to me when I made the PITS entry.

My point is that most any user seeing the word "Logout" will think they have successfully logged in (i.e. provided a correct password). The PmWiki documentation on AuthPw points out that they would be mistaken: "This does not mean the user has entered the correct password, just that they entered one".

Given the current test, a different phrase would avoid giving the user the impression they had successfully logged in:
  (:if enabled AuthPw:) print "Clear Pwds" 
Alternatively, a test that considers whether a correct password has been supplied is more consistent with the word "logout":
  (:if [enabled AuthPw AND auth {$Action}]:) print "Logout" 

--Tguthrie, 14 Oct 2011